Is iPatch Tuesday In Apple's Future?Is iPatch Tuesday In Apple's Future?

It's an odd thing about Apple that the iPhone and iPad have made it an important player in enterprise computing. And yet, it doesn't seem to want to talk about it. It's as if Apple is embarrassed to be dealing with big business. It certainly doesn't have a history of adapting its practices to the needs of enterprises, which is a way of life for Microsoft. How much longer can this go on?

But in spite of Apple ignoring them, big businesses bought iPhones and iPads as fast as they could and are trying to use them for real business computing. And, while you won't find Apple bragging about it in public, the iPhone has many features that are there because businesses demand them--features like IT policy-enforced device encryption and remote wipe, both available through (somewhat ironically) Microsoft ActiveSync.

An Apple business practice that doesn't really work for business is its vulnerability patching. Security updates to iOS can appear out of the blue. This is not a good thing from a business standpoint.

Microsoft long ago recognized that businesses with large numbers of computers to manage wanted to be able to plan for patching events, so it instituted "Patch Tuesday". Updates to products happen on the second Tuesday of the month. On the previous Thursday Microsoft releases an Advance Notification which lists the affected products, the number of updates, their severity, and whether reboots might be required. If a severe enough event pops up, Microsoft might issue an off-schedule or "out of band" update, but there have been few of these.

Businesses can use this information to plan, and the practice has been a success. It has even been emulated by other major software companies, such as Oracle and Adobe. It's also not uncommon for other software companies to release their own updates for Microsoft's Patch Tuesday, perhaps to hide behind the negative publicity Microsoft inevitably receives.

But Apple likes to "think different." When a security update for iOS comes out it's usually without any real warning and IT has to decide what to do. Large enterprises often use management systems, including MDM or Mobile Device Management such as MobileIron, which includes an enterprise app store. This allows IT not only to distribute its own applications to its users without having to include them in the Apple App Store, but to manage the distribution of Apple's and third parties' apps.

With tools like this available, all that's left for Apple to do is provide some regularity and guidance to customers for upcoming patch events. This would allow it to plan for rolling out the patches in a sane and organized manner, as opposed to blasting it out to everyone all at once.

Mark Kelly of Information Security HeadQuarters argues for this in his blog. Kelly goes further, predicting that an iOS security incident "responsible for a big intellectual property loss" will happen in the next six months. It's completely plausible, but unless he's planning to conduct the attack himself he can't really know.

The myth of Apple's immunity to security breaches has no currency in the security community and the message is finally getting through to mainstream users and IT. Mac OS X and iOS are different, though. Mass attacks are a reasonable scenario for Mac users and there have been some, but for iOS the App Store model makes mass attacks very difficult to conduct.

Targeted attacks are another matter. If a hacker knows a certain company uses iOS, he could certainly put an exploit of an unpatched iOS vulnerability up on a website and lure a company employee to it with a targeted e-mail. Such attacks are more expensive and risky to conduct so they would only be used for high-value targets. It's possible there have already been such attacks and they've either gone unnoticed or have been successfully hushed up.

Either way, the threat is there and real in spite of the formidable security of the App Store. The right way to deal with it is to put the patching system on a more professional basis, with a known schedule and some advance notification--both for iOS and OS X. Kelly predicts this too: "Within one year Apple will establish a fixed monthly patch window date." I won't go that far. Apple seems reluctant to take formal and public measures for security, especially for business. But I hope I'm wrong.